The BlueHat Podcast 3.5.25
Ep 48 | 3.5.25

PoCs, Patching and Zero Day Quest Participation with Michael Gorelik

Transcript

Nic Fillingham: Since 2005, BlueHat has been where the security research community and Microsoft come together as peers --

Wendy Zenone: -- to debate and discuss, share and challenge, celebrate and learn.

Nic Fillingham: On the BlueHat podcast, join me, Nic Fillingham --

Wendy Zenone: -- and me, Wendy Zenone, for conversations with researchers, responders, and industry leaders, both inside and outside of Microsoft.

Nic Fillingham: Working to secure the planet's technology and create a safer world for all.

Wendy Zenone: And now on with the BlueHat podcast.

Nic Fillingham: Welcome to the BlueHat Podcast, Michael Gorelik. Michael. Thank you so much for joining us.

Michael Gorelik: Thank you for having me.

Nic Fillingham: We would love to hear a bit about you. If you could, introduce yourself to the audience. Who are you, and what do you do here?

Michael Gorelik: Sure. Nic, thanks. My name is Michael Gorelik. I wear a lot of hats. Security researcher, CTO, company founder, vulnerability researcher, red teamer, penetration tester. Whatever you think of, I've probably done and tried in my life. Currently, I have led Morphisec for the last 11 years, which I founded. And I lead an additional company as well for services purposes. And I'm doing a lot of vulnerability research, as you heard. And part of it is a lot of work finding vulnerabilities in Microsoft products.

Wendy Zenone: Where do you find the time to do all of this?

Michael Gorelik: I'm asked the same question every time. It's never boring. Time is the thing; right now is the only time, right? In 20 years, God knows where we'll be. You need to utilize it 200%, so I'm trying to do my best. I did a master's degree in computer science, 11 patents, a lot of forensic evidence with different authorities, the FBI and other authorities, helping provide evidence against the bad guys, identified supply chain attacks. So it's interesting. It's fun. I enjoy my time. And the more you enjoy your time, the more you can do.

Wendy Zenone: What started that? Was there a moment where you're like, I could go to the dark side, or I could build some companies and help other companies? Because I'm sure that most hackers have that moment, that moral dilemma, like, this could go this way; this could go that way. I know for a fact many people I've talked to said that. So wondering, did you have that moment within yourself when you were younger?

Michael Gorelik: I just had someone yesterday telling me the same thing, with my customers. I had just finished a presentation on the ransomware landscape, getting into the details of ransomware. And this guy said, You sure you will stay on this side? You don't want to get some additional income? So, yeah. Those moments are definitely frequent. It's not a single moment. A lot of those moments happen because you see all this business going on on the other side and the money that happens. But I was always on this side, with a lovely family, three kids. I love the freedom to enjoy my stuff, my doing, help society. So I'm enjoying and trying to help. As long as I'm allowed to do these additional advanced activities that I do, I definitely will continue. Money is not what makes you happy eventually. It can help, but it's not the main thing.

Wendy Zenone: Right. You have to enjoy what you're doing, and it sounds like you really do.

Michael Gorelik: Yeah, yeah. And it all started -- you asked me about where did it start? As a family thing. So my father was actually developing, until he retired, in the Israeli army industry, low-level stuff for things that we cannot disclose. So I was looking at bits and bytes from the age of 12 or something like that. So always kind of this passion for doing better, this competitive nature, proving better, doing better, and then it just became the trade.

Wendy Zenone: That's awesome. And you said you have three children. Are they also kind of going down that path or they do something totally different?

Michael Gorelik: So one, the older one, is going right now to high school, and definitely takes that path for now. But God knows. Things change so fast with teenagers. The other girls are a bit too young. But we'll see.

Wendy Zenone: Right. There's still time. I mean, I think, from my experience, it's just that one thing that catches your interest. So there's going to be one thing, and she's going to go like a rocket figuring out what she's going to do, whatever that is.

Michael Gorelik: I don't know how much of a traditional path in security you may have. The dynamic threat landscape changes. The requirements change with Gen AI, and before there was supply chain and ransomware and then exploit kits. In the first infrastructures, you went through so many changes. And I agree with you. You need a hook. And I got that hook very early, obviously, from computer science, from the family. But one of my first jobs was part of Deutsche Telekom Laboratories for research. They were founded by Ben-Gurion University in Israel. And it's a very interesting concept. They were researching as small projects. So you kind of get to experience a lot of different things. And they research for bigger companies on new, novel kinds of issues. You touch on IPv6 and you touch on the network and you touch firewall rules and different languages and optimization, etc. You really go through a vast experience of many different categories within a very short time. So every project is like a couple of months. So I had the experience of seven years trying out different types of projects. And, as a result, you can just cherry-pick what you like more, what you like less. It's not an experience each person, every person, is lucky to have. Many times you kind of choose your path, whether you like it, maybe you don't, and then you choose a second. And here you just get the experience of everything, of every possible language.

Wendy Zenone: Oh, that's awesome. It's a buffet. You had a buffet of -- right.

Michael Gorelik: Yeah. Exactly, yeah. I was lucky enough. We had great guys there.

Nic Fillingham: Michael, we have many avenues we could take you down on today's conversation. You were a presenter at BlueHat 2024 late last year, in October. You have also submitted a number of cases, and Morphisec has submitted a number of cases to MSRC over the years. But one thing we'd love to start with, at least in today's conversation, is your upcoming participation in the Zero Day Quest. Now, Wendy, I'm going to ask you to explain, if that's okay, to our audience what Zero Day Quest is before we hammer Michael with some more questions. Can we say ZDQ? It's just a little quicker. Or do we have to say Zero Day Quest?

Wendy Zenone: Zero Day Quest. We are Zero Day Quest.

Nic Fillingham: Zero Day Quest.

Wendy Zenone: Zero Day Quest. It's the world's biggest hacking event. It's an invite-only Microsoft event where we invite folks that qualify, such as Michael. And it's going to be three days of hacking with a bunch of other fun activities that we're not going to talk about yet because they're still being solidified. And it's a surprise, Michael. But it's AI and cloud. And it's so huge, I can't even -- I am neck deep in planning this, Michael. But you're going to have a blast. But do you think you could tell us a little bit about how you qualified?

Michael Gorelik: Yeah. Sure.

Wendy Zenone: With whatever you can share, of course.

Michael Gorelik: No. Definitely. The things that are public I can summarize. So, overall, just the motivation, where it comes from: my main company, Morphisec, which I lead and founded and have done for a while, but one of the main things we do is, like, protecting against exploitation and vulnerabilities. Part of the work that we do, me and my team -- and, by the way, my team is also invited -- is basically exploring vulnerabilities because we want to provide better protection to our customers. And one of the more important things, we investigate the existing solutions to those vulnerabilities, basically many times, not only for Microsoft, but Microsoft is obviously one of the largest platforms. We review the fixes to the existing vulnerabilities. And when we review those fixes -- and it happens quite frequently -- we find out that they may be not complete or not at all complete. There is always a reason for that. Many times the fixes are not complete because of pressure, time pressure, conflicts, compatibility with additional applications. Every vendor that releases patches is taking its time to understand whether this patch should really get to the customers on all the platforms. And when we investigate those patches, we find out, again, additional vulnerabilities. We continue to research. We identify how this patch is not complete, and how we can bypass those incomplete patches and find additional ways to execute and get to the victim environment, and all this is done with the motivation, obviously, to provide better protection to our customers. So the first presentation was DEF CON during the year, which we presented on the main stage, together with Arnold, on many of the vulnerabilities that we submitted to Microsoft. And most of them were remote code execution. I'll touch upon that in a second. And then we were accepted to BlueHat, which was an amazing event, I have to say.
I mean, one of the best events that I participated in or presented at, well thought out; and I like the researchers and the people and the great environment. So we presented there already with additional vulnerabilities that we identified. And all this, obviously, my team is very limited because we do that many times outside of all the other stuff we need to do. So I wish we could do vulnerability research 24/7. We would find out much more. But during that time, if I'm not wrong, around six RCEs, and we submitted around 10, 12, 13, I don't know, privilege escalations and DLMs. And this January, when the Zero Quest was announced, we submitted one more overflow that can lead to remote code execution. And we are working hard to have additional vulnerabilities, obviously, disclosed, working very carefully, according to the disclosure policy. And I have to say, with all the other vendors, Microsoft definitely cooperates the best of any other vendor. So we have very good, coordinated government disclosure plans and try to share as much information as we can so that the work will be easier on the other side and the fixes will be easier. This is definitely one of the important things because we want to see the fixes coming.

Wendy Zenone: Right. I have one follow-up question on that. And it sounds like you and your team have a lot of integrity when it comes to finding the vulnerabilities but also researching the fixes. And, oh, you found more vulnerabilities while researching the fixes. Is that common? It's been years since I have run a bug bounty program myself. But I remember receiving the reports with suggested fixes, and that was pretty much it. It wasn't often. There wasn't a lot of detail. There was, because you want it to be fixed so that you can get your bounty. But it sounds like you are taking the integrity of your work to a little bit more of, like, a VIP level. Like, it sounds much more involved because you care. Is that accurate?

Michael Gorelik: We do care. We care a lot. I mean, seeing everything possible, many times we get to environments as part of incident response and protection. And seeing those adversaries on the other side doing the best they can on their side to create havoc and disrupt, while we see the victims and the customers not having too many tools, really, to protect: various people, processes, tools, and so many missing gaps. So, yeah. We do care. We have cared for the last 20 years. We do as much as we can. But I have to say that we are well connected with the fellow researcher community. And many of my colleagues are very similar. They care a lot. Sometimes we even care, even myself, care too much, in a way, because we are getting passionate and trying, okay, start fixing it. Or we, like, will minimize whatever disclosure time, because sometimes we see on the other side there are also, like, lower priorities. And all this deprioritization leads to less attention. And you want your issue to be fixed. You want that to be finalized. So it's an interesting kind of communication, love/hate communication. But we do really care.

Wendy Zenone: It's a symbiotic relationship.

Nic Fillingham: So, Michael, the case or cases that were submitted and during this Zero Day Quest qualification period, have those been resolved yet? Are you at a point where you can tell us about them in some degree?

Michael Gorelik: Yeah. The last case was resolved. We do work on a couple of things right now in parallel that were not submitted yet. All the cases that we have submitted are resolved, and the final one was resolved a month ago. So we can talk about that, definitely. It was a very interesting case. But, in continuation of previous non-fixed vulnerabilities, it takes many times a couple of patch cycles to fix the same cause of a vulnerability. So, yes; it's cool. Many different numbers, CVE numbers. And it's impressive and sounds like, Oh, you found lots of vulnerabilities. And we do. But many times it's kind of coming from the same vulnerability but different control flows. And one of those was fixed just this January. Before that, it was November, December, and beforehand others. I specifically right now I'm very much -- we were focused on Office 365, Outlook, anything endpoint. Like, it's easier for us to investigate the patches and understand the impact and debug those kinds of things. But recently I started to look also into SharePoint. So, specifically, we don't have any disclosure yet. But it's a very interesting attack surface, as well; and it kind of gets you very close to the cloud side of things. And there are also additional interesting attack surfaces right now with the introduction of AI. But not only the LLMs; also the SLMs on the endpoint itself are interesting. We're looking at that. The attack surface is really huge, and focus is important.

Nic Fillingham: So the submission that was part of Zero Day Quest, was that the continuation of a case that was initially submitted; and then you continued to work with MSRC to look for either regressions or issues with the patches and getting those cleaned up? Or was this a brand new piece of research that was submitted?

Michael Gorelik: So we actually have been accepted for Zero Quest because we are categorized among the top 10 researchers that submitted the most vulnerabilities in 2024, critical vulnerabilities. So up front we didn't need to submit anything to Zero Quest, really, to be accepted. This was kind of automatic acceptance. Not a lot of guys got that invitation automatically. We were one of them. But we did submit afterward additional vulnerabilities just because we had to disclose them and fix them. So it was a bit easier for me and my team, but we are not stopping there.

Nic Fillingham: So, Michael, the research that your company does and that you do, you talk about further researching patches or perhaps putting patches through sort of additional testing to make sure that they do truly resolve what they're designed to resolve. Is that primarily for research that you and your team have created, or are you going and then testing patches from other research? I guess, is your business model or is your area of focus, hey, let's go and stress test patches, in general; or are you just doing that as a sort of a really thorough management of the research that you initially have created and are submitting into Microsoft or other vendors? Does that make sense?

Michael Gorelik: It makes sense. That's a great question. We obviously cannot stress test all the patches in the world.

Nic Fillingham: Right. My next question was going to be, how do you not have to -- how do you narrow that down?

Michael Gorelik: Right. So we do provide a full kind of anti transform platform. And, as part of that, obviously, I have an advanced team of researchers, myself included. And when we are talking about the end result, the ransomware, we also need to talk about the initial access, the first kind of execution. How would adversaries get into an environment? What would be the most probable exploitation they will use? And what is probable exploitation? What is probable exploitation for vulnerabilities? This is a big question. Obviously, it depends on how easy it is to exploit, whether it leads to remote code that is executed in the environment with zero click. If a PoC is exposed and available, it allows the attackers to reproduce it and execute it. And many more factors, like how popular is this attack surface, this application on your target systems, right, so that you will not need to piggyback on a specific target. So taking all those kinds of calculation factors into account, you get to a specific conclusion that for this type of vulnerabilities, you need to get a bit into the details, into the weeds. And obviously the Microsoft attack surface, Microsoft applications, are the most popular among Windows clients, which are most of our clients. And Microsoft applications, like Office 365, like SharePoint, and the things that you use daily are definitely an interesting target for adversaries and attackers. This being an interesting target is also interesting for our research. So if we hear about it, usually the trigger of our research is that there is a severe remote code execution on a popular platform that has a PoC out. We see that there is a PoC out, some kind of code that can reproduce it. This becomes interesting because we are right now in a race against time. Who first finds the next vulnerabilities? Is it us or the adversaries that do the same work in parallel somewhere in Russia or China or God knows where. They have the time. They have the money.
They have the motivation, right? In parallel, this is exactly what we do. And most of the CVEs that we disclose are based on the initial one in each category or each type of vulnerabilities that we covered. It started from a PoC that was released on a single CVE by some of the other vendors or already exploited vulnerabilities in the wild. Hope it makes sense.

Nic Fillingham: It does. So a lot of the research that you and your team do is taking a jumping off point from, for example, a remote code execution that is disclosed or discovered and where there is a proof of concept. And you're taking that information which has been made public somehow or at least made its way into the public sphere and, from there, you're using that as a jumping off point to say, well, what else can happen? How do we make this thing work? How can we sort of exploit this in ways, in new and interesting ways and then obviously submitting that to the impacted vendor, whether it's Microsoft or someone else. Is that correct?

Michael Gorelik: That's 100% correct. And, again, it's a race of time, right?

Nic Fillingham: Yeah. But you know what I loved about that is that I think we speak to a lot of researchers on this podcast, and one of the questions that we often ask them is, where do you start? Or how do you get started? And I think that might be the first time I've heard or at least recently someone say, Well, look. Don't start with a blank slate. Don't start with a blank piece of paper. Start with a PoC that is being released or some other sort of exploit that you're hearing about for the first time in the zeitgeist or on Discord or on Reddit or whatever. And just go play with it and sort of start with some other piece of research and see where it goes from, which seems very obvious. But that feels like a really good piece of advice for anyone out there looking to dabble.

Michael Gorelik: Yeah. It's don't reinvent the wheel, in a way, right? And that's what others are doing; the adversaries are doing exactly that. I have my research colleagues obviously creating fuzzers. It's a great additional way to try and find vulnerabilities. But our goal is a bit different. Bounties are nice. Obviously getting money is nice. But our initial goal is to protect people and protect customers. And because this is the initial goal and not necessarily getting more bounty, we start from those things that are more severe and more probable as a target.

Wendy Zenone: I haven't even thought about that scenario of not starting from scratch but also that the adversary is doing the same thing. They're looking into things that were released and poking at the same thing. So it is a race condition. But I hadn't -- as Nic said, it hasn't been put in that way for us, for me to be, like, oh, my God. I never thought about that. So thank you for what you do.

Michael Gorelik: Yeah. It's a different perspective on that but definitely reasonable, right?

Wendy Zenone: Yeah. And Morphisec, what does the name mean?

Michael Gorelik: So Morphisec is coming from -- we actually changed the name at first, I think during the first year after we founded it, like 11 years ago. Morphisec comes from the word morphing, like changing.

Nic Fillingham: Oh. I thought you said morphine for a second there.

Michael Gorelik: Morphisec.

Wendy Zenone: Like the drug.

Nic Fillingham: I thought you meant morphine, pain relief medication.

Michael Gorelik: Let's call it polymorphism, right?

Nic Fillingham: Love it. No. Morph, to change.

Michael Gorelik: When you continuously change. And the idea is basically something that we were playing with before the company. There is a continuous change cycle. The victim tries to defend against the attacker, who continues to innovate. And then you have those vendors that try to protect against that by introducing continuous updates, whether those are signatures, tactics, TTPs, etc., kind of like a cat and mouse chase. And we wanted to break that cycle, that never-ending cycle. We wanted to cause the adversaries to chase after us. And we were thinking, how do we change that game, break that continuous cycle? I said, okay. Let's create the attack surface that makes it unpredictable. Let's introduce polymorphism. Let's continuously change that attack surface, how the credentials are stored, how the functions look so that, when you try to exploit it, you exploit something that just changed a moment ago. So whatever you learned at home and prepared in your research is not effective anymore. The second component is also introducing deception. Okay. So we change something, change the attack surface. Let's put in place kind of booby traps so that the attacker will find what he's looking for and will be caught, right? So -- and this concept is like moving target defense. After 11 years, it's fully supported right now by Gartner. And many other companies in the last two, three years have also got into the same place. Some are morphing the IPs. Some are now morphing the endpoint attack surface. Some are changing containers continuously. There's enough space for that. But the core technology is preventive technology versus kind of detection and response, which are also important; but it's also important to prevent things from happening up front.

Wendy Zenone: That was a great answer. I did not expect so much detail to go into the name, but that was amazing. I liked how much thought was put into that.

Nic Fillingham: Wendy was hoping for, oh, it was the name of my dog.

Wendy Zenone: Yeah. Great. Like cool little mix.

Nic Fillingham: The dog's name is Morphisec so.

Wendy Zenone: Next question.

Nic Fillingham: An obscure Marvel character from Action Comics. No. That's DC. Oh, sorry.

Michael Gorelik: You know Morpheus, right? What is it, right?

Nic Fillingham: Yes. There you go.

Michael Gorelik: The red pill or the blue pill.

Wendy Zenone: Right.

Michael Gorelik: Or the one -- I don't remember what was the other pill.

Wendy Zenone: I think it's red and blue. The red wakes you up; is that right? Isn't the red one --

Michael Gorelik: I remember one of the pills will wake you up. And I wanted to be this. You want to wake up. Yes. That's cool. The Matrix.

Wendy Zenone: Yes. I have to watch that again. Well, you don't know a lot about the scope or what to expect with Zero Day Quest. So what are you looking forward to, with the limited information you have, aside from that you're going to be spending three days hacking; and that's all you know.

Michael Gorelik: So I will not name or mention the other organization that has also an annual competition. Very interesting kind of.

Nic Fillingham: Oh, Dave and Busters?

Michael Gorelik: But we are kind of expecting the competition to be kind of in that direction. We don't know, obviously. And you are not sharing with us all the details, the juicy details. We are doing our best to prepare, with the incentive to see what kind of new vulnerabilities we can discover. But we are going there like blinded. We really don't know what to expect. But we'd love the challenge of everything.

Wendy Zenone: Yeah. Very soon you will know.

Michael Gorelik: Yeah.

Nic Fillingham: Michael, I should have found out in advance whether you and your team were coming because you were top leaderboard submitters versus submitting during the qualification period. Turns out it was both. But I was thinking we'd spend a lot of time talking about that specific case. What I did mention up front, though, is that you were a recent presenter at BlueHat. And so I wanted to, if I could, talk a little bit about your session at BlueHat and how maybe that ties into some of the things we've already covered with the way that you and your team at Morphisec approach security research. So, if you go up on YouTube right now, we'll put a link in the show notes. You'll be able to see a full recording of that session. It was Session 8. I've got it here in front of me. Outlook, Unleashing RCE Chaos, and there's a bunch of CVE numbers there. Michael, could you give us a bit of a recap? If you can think back to October 2024, what was that session about?

Michael Gorelik: Yeah. So exactly like I described, our research starts from investigating disclosed, non kind of disclosed, very dangerous vulnerabilities. And, during this BlueHat, we kind of decided to focus on two categories of vulnerabilities. Each category involved a couple of parses, a couple of vulnerabilities which are critical that we identified. And in each of those categories, it started from one disclosed vulnerability. And the first one was extremely interesting; it was disclosed by the vendor NetSPI. And it involves basically remote code execution through form injection. And form injection, in a way, it's you open your Outlook, not only Outlook; by the way, you see those grayish, maybe grayish forms or the buttons, and you need to fill in your names. So it's much more than -- I'm trying kind of to simplify, a lot of simplification. I hope people are not hating me for that.

Wendy Zenone: I'm not.

Michael Gorelik: But it's more than just grayish. It has functionality behind it. If you get kind of a calendar invite, you hear like a pop-up or a ring. And if you get kind of a message of recall, you just sent something by mistake and you want to send a special message of recall, then you have something that runs behind and deletes the email from the inbox. So it's much more sophisticated than just I'm sending an email. And one of the goals was, how do you inject this form as a malicious form? How do you compromise your victim by introducing to him a controlled form, your own form, your own grayish form that executes something for you? And NetSPI, and later on with all the other CVEs, we utilized the mechanism introduced by Microsoft that is responsible for synchronization of any of those changes to those forms on all your endpoints. So, if I compromise your credentials right now -- let's say you give me your credentials because you have just been phished, or I just got them through NTLM, I basically can log into your account, Office 365 Outlook account. But it doesn't mean that I can run malicious code within your endpoints that you are logging in from. Let's say you have Outlook on your endpoint, on your laptop. It doesn't mean that I can run code on your laptop. It just means that I can log into your email. But the thing is that Microsoft, when I do some changes -- let's say you create a draft email right now in your Outlook.

Nic Fillingham: Wendy's doing it right now.

Wendy Zenone: I am.

Michael Gorelik: Yeah. And you open it on your second device, just because you probably have some MacBook there, edition 1, and you open there Outlook, as well, and you see the same draft email there and there, right? It's synchronized through the Exchange. The same way you try to change some forms, do some modification, you want to hear a different sound when you have a calendar invite. It's synchronized everywhere on all your endpoints. And this map is synchronization protocol in a way. If I am compromising you and I create this malicious form on my endpoint because I open your inbox, it will be synchronized to your endpoint as well. So this thing, okay, we're good, done. Propagate to your environment is not a problem. Now I need to trigger the execution of that form. This is more of a problem. So I need to send special message that will do the beep. It will trigger this malicious form from execution. And, theoretically, there's a way to do that. You just send an email with the name of that form; it will trigger. So, practically, it's all possible. Microsoft has safeguards to keep you from doing that, from anyone that will compromise your credentials. If you create a special, like, forms that will trigger executables behind, they have a deny list that you cannot create a form, or basically not even create a form. You can create a form. It will be propagated to you. You cannot trigger the execution of this form if it has, like, a special executables behind, if it has more malicious functionality. And this deny, this is the core of not all but almost all the vulnerabilities in this category that we discovered. The first time NetSPI introduced the bypass of a denialist validation, they introduced basically a reference path. And then, because a denialist just checked, had an exact validation of this condition, it failed in the reference path, basically created the same thing; and they bypassed. We understood the deny list validation wasn't fixed. 
They just added a check for the reference validation. Now, we cannot hate Microsoft for doing so because it's a pressure of time. You need to release very quick fix. Otherwise, it will be exploitable in the wild. So it's how complete Do you want to have the fix, or how fast do you want to protect your customers from exploitation? So we identified, okay. So this reference path was fixed. But the backslash, if you added at the end, due to how Microsoft operates and due to how -- I will not bother you with the technicalities, but some functions will just remove the backslash; and you will have the same results. So we added backslash and bypassed again the deny list, and the execution of the form succeeded. So Microsoft introduced a fix to check if there is a backslash in there. But then introduced during that fix additional indication of better validation for those conditions. So we had -- due to this interaction, that there are additional risks to bypass it. So we introduced the bypass to that, and basically this new technique of DLL hijack that goes behind that still executes the form. At this category, we basically ended. I continued with a different category. But on this category, I believe I didn't expose the last CV. The last CV that we introduced in January was a continuation of a form. But this time we found that there is, like, an empty form. We didn't reveal details so far. It's the first time I'm talking about that. But it was already patched, and we already passed the month of adapting those patches. But we identified that we can take the same recall form that exists on the endpoint environment, strip it, and load it so that basically the output, when I close that form, it had a pointer that doesn't take into account an empty form. And it will crash. So that will crash, and you can control the crash to execute malicious code. And we didn't share that details so far. 
I'm not sure we'll get into the details more than what I just disclosed, but the other category also was due to my colleague, actually, Hai Fabi, who submitted a lot of CVEs, as well, as part of the Zero Quest. And he was the one that exposed the moniker remote code execution as part of his work in Check Point. And we checked the patch for that, and it's actually widely exploited today. And you see that the criticality of this exploit increased very high, and we identified that it can be easily bypassed. The patch, the fix there, is very easily bypassed by introducing different additional signs of this compound moniker. And here also, again, we went through a series of, like, three or four patching cycles until we fixed, got to complete fixes. And right now one of my team members actually analyzes an additional way to bypass that. We didn't disclose anything or any details, and I will not do that right now. But there is definitely something cooking so.

Wendy Zenone: Wow. This is a whole thing. It's like --

Nic Fillingham: Yeah. Well, again, like, I love hearing the pattern there, Michael, where you say NetSPI released something, and then you and your team went and ran with it and saw if you could get it up and running in the, you know, in your test environment. And can you get around it, and how do you exploit it? And then it gets submitted, and a patch is released. And then you go and test the patch and stress test the patch and work out how to get around the patch. And you found that, oh, add a slash, and you get around it. And then another patch comes out. And this seems to be a pattern that you've mentioned a couple of times here in this conversation. And I'm sure there are a lot of researchers out there that follow this same formula. Do you as an individual, and do you as the one leading your team and leading Morphisec, is this sort of a philosophy that you take to every project and every piece of research and every client, the whole sort of, hey, look. We submitted a thing. A patch was released, but we're going to go and stress test this patch. I'm going to try and get around it. I'm going to try and break it. And at what point do you say, like, okay. We're happy that this thing has actually finally been resolved. On patch 7, they finally got it. Like, do you do it every time? And at what point do you decide that this has actually finally been resolved?

Michael Gorelik: Yes. That's a good question. So our approach is kind of a hybrid. Yes, there is some stressing part in that because you cannot do everything manually. But, still, one of the more important things, we limit our focus on the number of vulnerabilities we touch. And this allows us to reverse engineer, really, to get into not only stressing the patch but to reverse the code, understand the fix. And this is not something that many regular researchers can do. It comes with a lot of experience, understanding and reversing and identifying what is the code that was introduced, the additional code, not just what are the bytes. And this helps us to avoid too much stressing, too much shooting in the dark. We can focus better on exactly what we want to test. Now, you asked correctly. I'm not going for seven patches; usually I end up at three, number three more or less, because we need to deviate our attention, and we have so much work aside from just vulnerabilities. We need to provide protection for malware and ransomware. And vulnerabilities are just 10% of our business, maybe 20% and hard. So the work we produce today and all the CVEs we find is only 10% of our time. I wish we could have more, but we are not paid for that. It's something that we are doing because we want to help, because we really care. But we are paid to provide the ransomware protection to our customers, and this is what we need to do most of the time. Yeah. So we are trying to, let's say, stop at number three, more or less a magic number. I think that's good enough. If we see that it takes too much time, if it takes more than two weeks, let's say, to get into the weeds and identify potential directions, we basically have at least three, four, five potential directions. If you don't have enough and it takes too much time, we just throw it away and continue with the next one.

Wendy Zenone: All right. I need to ask. This is my favorite question to ask everyone. Outside of security, what do you like to do besides play the piano?

Michael Gorelik: Security is my life. And, as I said, I'm trying to do things outside Morphisec. Provide services, consultations, incident response, assessment. My kids take a lot of my time because, I mean, I love helping them. They are very much math-oriented. And obviously meet with friends. I moved to the US around seven years ago. So travel in the US. It's beautiful. There is so much to see, and I saw so little. So we like to travel more on the north side but also Orlando, Florida, Disney World, Universal. Travel as much as we can during that specific time. I wish I could find time to read a book. Unfortunately, I don't. But I envy those that find the time to do that as well.

Wendy Zenone: It's a commitment to read a book. Like, when I finish one, it takes me a while to start another one because, like, you get into, like, flow. And then just start again and get hooked, yeah. It's a whole thing. So I get it.

Michael Gorelik: And me.

Wendy Zenone: It's been months since I read one.

Nic Fillingham: I would love to ask this one final question, if that's okay, is you mentioned earlier that you and your team will be at the Zero Day Quest in part because of the volume and quality of content that you submit to MSRC, being a top submitter and being on our leaderboards and our MVR status. So did you have any sort of final sort of tips, tricks, or sort of guidance that you would want to pass on to other security researchers and hackers that are out there that would love to one day be in your shoes and be able to come on up to the next Zero Day Quest? What advice would you want to leave folks with?

Michael Gorelik: That's a great question. After I finished my DEF CON presentations in August, I had like a line of youngsters coming asking the same question. Where do we start? Like, how do we get there? What is the first book we need to read? What is the first whatever we need to cover to find out? And it's not an easy question always because it really kind of fits to the person. But my personal opinion, you have to like it. You have to love it. You have to get into the weeds because you want to get into the weeds. I employed more than 100 people at a time, and I had a lot of different researchers coming. And those that are successful today, really successful -- and you can find them in leading companies today -- many of them went under my direction at the start. They came with a lot of motivation, a lot of wanting. And very quickly you need to identify this works; this doesn't. Try another piece, right, another category, another type of experience because cybersecurity is huge. And when you find something that you like -- and I don't know what is the proper word, suicide on that, there's a different word in English. I'm trying to translate that.

Nic Fillingham: Hang on. When you find something you like, oh, jump on it.

Michael Gorelik: Jump on it. Sorry.

Nic Fillingham: Is that what you mean?

Michael Gorelik: When you find -- yeah. So when you find something you like, jump on it. And don't think about risks. I mean, I'm doing it all the time. I have a family. I'm single worker, and I lead two companies. And one, again, this is a huge one, is a huge company. And I'm doing a lot outside and taking the risk every day because I like it. If you do not take the risks, you do not jump on it, you will not have results sitting back and learning online course. So there's a lot of PoCs. Just execute that, run it, see the results. Now try to play with it a bit. What changes? Be interested and be curious.

Nic Fillingham: I love that advice. And just jump on it. I guess I have a follow-up. My follow-up is that, if you jump on it and you don't feel like you love it and you don't feel like you're fully engrossed and just grabbed by it with everything, do you keep going? Or is that a sign that maybe you should be looking at doing something else?

Michael Gorelik: Sure. At the start, nothing works. At the start, there are a lot of failures. And at the start, it's -- for many people it's very easy to raise their hands and say, Okay. I give up. Don't give up because in your first year or two, the work you're doing is not for your success right now. It is for your success later. So you need those failures to succeed, and the more you get into those deals and fail, it isn't necessarily a bad thing. You will learn how to succeed later. You will learn how not to repeat the same thing. So, yes. If you are in the first two, three years of your life in the security landscape, security job, go and fail every day. I mean, I would fail and fail and fail. The more you fail, the more you learn. Believe me. Third year, fourth year, fifth year you will start to succeed like crazy because of all those failures. You cannot expect to succeed in the first year you try. But you will succeed in the third, the fourth year, 100% if you continue with your failures and will not give up. I think this is probably the best advice I can provide.

Wendy Zenone: Stay on task. Well, this has been awesome. We are actually at time. So thank you, Michael, for joining us. We want to have you back as many times as possible because you're a wonderful guest. And you have so much knowledge, and I like how you explain it. You explain it in a way so folks that do get it get it, and the folks like myself that don't get it get it. So thank you. Where can folks that are listening find you? Are you on social media? Do you have a website, anywhere that folks can follow some of the things that you've been working on?

Michael Gorelik: Yeah. So I'm obviously on LinkedIn; X, previously Twitter. I have my own GitHub. You can find me as M Gorelik. Maybe I can share links later on from my GitHub. Overall, I'm in New Jersey, New York. So if anyone wants to meet and get in touch, I would love to meet fellow researchers or help or promote guys that are very much motivated. And my service company, C1 Bus, I also provide the option for internships to try and get the first experience if they are really motivated and want to prove themselves. And usually I find, like, four-year senior college guys that want to get this first experience. In Morphisec, obviously you can get in touch. I'm there, whether through the product itself that we can sell or even get in touch directly if we can provide some kind of consultation. But, yeah. LinkedIn will probably be the best option.

Wendy Zenone: Amazing. Thank you very much, and we look forward to having you next time.

Michael Gorelik: Thank you, Wendy. Thank you, Nic. It was amazing.

Nic Fillingham: Thanks, Michael.

Michael Gorelik: Thanks.

Wendy Zenone: Thank you for joining us for the BlueHat Podcast.

Nic Fillingham: If you have feedback, topic requests, or questions about this episode --

Wendy Zenone: Please email us at bluehat@microsoft.com. Or message us on Twitter @MSFTBlueHat.

Nic Fillingham: Be sure to subscribe for more conversations and insights from security researchers and responders across the industry --

Wendy Zenone: -- by visiting BlueHatpodcast.com or wherever you get your favorite podcasts.